Method of implementing in an electronic component a cryptographic algorithm for finding the public exponent

ABSTRACT

The invention concerns a method for implementing in an electronic component a cryptographic algorithm using calculating means. The invention is characterized in that it consists in carrying out the following steps: a) selecting a value e among a specific number of values e I , e i  being integers, b) checking if e i  verifies a predetermined relationship: if so, then e=e i , and storing e for use in calculating said cryptographic algorithm.

The invention concerns a method of implementing, in an electronic component, a cryptographic algorithm.

The invention also relates to the corresponding electronic component.

Such components are used in applications where access to services or data is severely controlled. They have an architecture formed around a microprocessor and memories, including a program memory of the ROM type (“Read Only Memory” in English) which contains the secret number or numbers d.

These components are used in computer systems, on board or not; they are in particular used in chip cards, for certain applications thereof. These are for example applications of access to certain databanks, banking applications, remote payment applications, for example for television, petrol dispensing or passage through motorway tolls.

These components or cards therefore use a cryptographic algorithm for ensuring the enciphering of data sent and/or the deciphering of data received when these must remain confidential.

In general terms and briefly, the function of these cryptographic algorithms is in particular the enciphering or the digital signature of the message. From this message applied as an input to the card by a host system (server, bank dispenser etc) and many secrets contained in the card, the card in return supplies to the host system the enciphered or signed message, which for example enables the host system to authenticate the component or the card, to exchange data, etc.

The characteristics of the cryptography algorithms are known: calculations made, parameters used. The only unknown is the secret number or numbers contained in program memory. The entire security of these cryptography algorithms relates to this secret number or numbers contained in the card and unknown to the world outside this card. This secret number cannot be deduced solely from knowledge of the message applied as an input and the enciphered message supplied in return.

However, it has become clear that external attacks enable ill-intentioned third parties to find the secret number or numbers contained in this card. In the field of chip cards, amongst others, there exist several possible attacks, one of which is known as “fault attack”.

In this type of attack, the attacker injects any error during the calculation of a cryptographic algorithm, for the purpose of exploiting the presence of this error in order to extract secret information.

The error may also result from a calculation error due to the hardware implementing the cryptographic algorithm; it is nevertheless considered, in either case, that it is a case of a fault attack.

This type of attack can in particular be envisaged with the RSA algorithm (from the name of its authors) Rivest, Shamir and Adleman), which is the most used in cryptography in this field of application. The security of the RSA algorithm is based on the difficulty of factorising large numbers. These algorithms use in particular exponentiation calculations to the power of d, d being a secret number.

The principal steps of the RSA algorithm are stated briefly.

A number N is established which is the product for two prime numbers p and q (N=p.q), and a public exponent or public key e and a private exponent or private or secret key d, satisfying the equation: e.d=1(modulo λ(N)),  (1)

-   -   λ(.) being the Carmichael function.

According to a first embodiment of the so-called standard RSA algorithm, the public parameters are (N,e) and the private parameters are (N,d). Given x lying in the range ]0,N[, the public operation on x, which may for example be the enciphering of the message x or the checking of the signature x, consists of calculating: y=x^(e) modulo N  (2)

The corresponding private operation, which may for example be the deciphering of the enciphered message or the generation of a signature x, consists of calculating: y^(d) modulo N  (3)

-   -   with x=y^(d) modulo N since e.d=1(modulo λ(N)).

Another operating mode known as CRT mode since it is based on the Chinese remainder theorem (“Chinese Remainder Theorem” or CRT in English) and four times faster than that of the standard RSA algorithm, will be presented. According to this CRT mode RSA, the calculations are not performed directly modulo N but first of all calculations are performed modulo p and modulo q.

The public parameters are (N,e) but the private parameters are (p,q,d) or (p,q,dp,dq,iq) with d _(p) =d modulo(p−1), d _(q) d modulo(q−1)

-   -   and i_(q)=q⁻¹ modulo p.

By means of equation (1), there are obtained: ed _(p)=1 modulo(p−1) and ed _(q)=1 modulo(q−1)  (4)

The public operation is performed in the same way as with the standard operating mode; on the other hand, for the private operation, there are first of all calculated: x_(p)=y^(d) ^(p) mod p and x_(q)=y^(d) ^(q) mod q

-   -   next, by application of the Chinese remainder theorem, x=y^(d)         mod N is obtained by:         x=CRT(x _(p) ,x _(q))=x _(q) +q[i _(q)(x _(p) −x _(q))modulo         p]  (5)

The RSA algorithm has been presented with two prime factors p and q in order to simplify the disclosure. It is possible to extend it to the case where N is the product of two integers p and q such that hcf(p,q)=1. In this case, d _(p) =d(modulo λ(p)), d _(q) =d(modulo λ(q)),

-   -   i_(q) remains unchanged compared with the previous case,         ed _(p)=1(modulo λ(p)) and ed _(q)=1(modulo λ(q)),     -   and the calculations of x_(p), x_(q) and x are unchanged.

This extension applies both to standard mode and to CRT mode.

A description will now be given of an example of a fault attack based on the obtaining of two signatures of the same message, one correct x and the other incorrect denoted {circumflex over ( )}x.

The incorrect signature was for example obtained in the following manner. The attacker, by any method, injects an error during the calculation of x_(p), but not during that of x_(q). The value of x_(p) is then incorrect and denoted {circumflex over ( )}x_(p). On the other hand, the value of x_(q) is correct. Because of this, when the values {circumflex over ( )}x_(p) and x_(q) are recombined by applying the Chinese remainder theorem, the resulting signature {circumflex over ( )}x is incorrect.

It then suffices for the attacker, who of course also knows the public parameters (N,e), to calculate the highest common factor (hcf) with N, that is to say: hcf({circumflex over ( )}x−x, N).

However, hcf({circumflex over ( )}x−x, N)=q. He then obtains the secret factor q and therefore p and d_(p) and d_(q). Because of this, the RSA code is effectively broken.

In other words, if someone is capable of injecting any error during a calculation modulo p whilst the calculation modulo q is correct or vice-versa, he can completely break the RSA code.

It is also possible to break the RSA code using an incorrect signature of a known message. Several cases of fault attacks are presented in the publication “On the Importance of Checking Cryptographic Protocols for Faults” by D. Boneh, R. A. DeMillo and R. J. Lipton, Advances in Cryptology, EUROCRYPT'97, pp. 37-51, to which reference can be made.

A first countermeasure for avoiding this type of scenario consists of recalculating the entire algorithm. The values obtained at the end of the successive calculations are compared. If they are identical, it is assumed that no fault has been injected. A problem with this approach is that it does not detect a permanent fault. For example, it is not possible to discern an attack in which the error injected consists of the value of a memory bit always being fixed at 0 or at 1 (“sticky bit” in English).

Another countermeasure to the fault attack is described by Shamir in the patent document WO 98 52319.

According to this countermeasure the following algorithm is proceeded with:

-   -   1. Choose a random number r of low value,     -   2. Calculate:         x_(rp)=y^(d) modulo r.p, and         x_(rq)=y^(d) modulo r.q;     -   3. If x_(rp)≠x_(rq) (modulo r), then there is a fault (perhaps         caused by an attack) and therefore interruption of the         algorithm, otherwise     -   4. Apply the Chinese remainder theorem to x_(rp) and x_(rq), in         order to issue x as an output.

Thus the calculations are performed respectively modulo r.p and modulo r.q instead of modulo p and modulo q. Next, it is checked that the two values x_(rp) and x_(rq) obtained by these calculations are also modulo r. If these two values are different, it is certain that there has been an error. On the other hand, if they are equal, it can be assumed that there is no error, with a probability of 1/r of being mistaken in this assumption.

One drawback of this method is that it is probabilistic, that is to say the errors are detected with a probability of less than 1 and that consequently they are not all detected. In addition it is expensive in calculation time. Another drawback of the Shamir method is that it functions only for the CRT mode. However, it can also be envisaged using the standard mode of the RSA algorithm.

The best possible protection for protecting from fault attacks consists of checking that the value x obtained during the private operation (3) or (5) (that is to say either in standard mode or in CRT mode of the RSA algorithm) satisfies equation (2) y=x^(e) modulo N of the public operation. This is because, when this equation is satisfied, it is possible to be sure that there has been no error during the performance of the private operation of the RSA algorithm.

However, the component or device implementing the private operation does not always have available the public exponent e, in particular when it executes only the private operation.

In the light of the above, the invention proposes a method for performing certain steps of a cryptographic algorithm using a public exponent e which is not known a priori.

This method makes it possible in particular to effect a countermeasure, in particular to fault attacks, which offers the best possible protection even when the public exponent e is not known.

The object of the invention is a method of implementing, in an electronic component, a cryptography algorithm using calculation means, principally characterised in that it consists of performing the following steps:

-   -   a) choosing a value e from amongst a given number of values         e_(i), e_(i) being integer numbers,     -   b) testing whether the value e_(i) chosen satisfies a         predetermined equation:         -   if such is the case, then e=e_(i), and storing e with a view             to its use in calculations of the said cryptography             algorithm,         -   if such is not the case, reiterating the previous steps             choosing another value of e_(i) and if no value of e_(i) can             be attributed to e then noting that the calculations of the             said cryptography algorithm using the value e cannot be             made.

According to one embodiment of the invention, it consists, prior to step b), of choosing a value Y lying in the range ]0,N[and allocating to a value X the result of the operation Y^(d) modulo N, d and N being given integer numbers, and it consists of the predetermined equation of step b) being X^(e) ^(i) mod N=Y

Preferably Y=2 is chosen.

The cryptography algorithm can be based on an algorithm of the RSA type, in particular in standard mode or in CRT mode.

According to another embodiment, the predetermined equation of step b) is: e_(i)d_(p)=1 (modulo λ(p)), p and d_(p) being given integer numbers and λ(.) being the Carmichael function.

The number d_(p) can be obtained by d_(p)=d (modulo λ(p)), d being a predetermined integer.

According to one characteristic of the invention, d_(q) and q being given integer numbers, with hcf(p,q)=1, step b) consists of performing the following steps: testing whether e_(i)d_(p)=1 (modulo λ(p)),

-   -   if such is the case, and if e_(i)<λ(p), then e=e_(i) and storing         e with a view to its use in calculations of the said         cryptography algorithm,     -   if such is the case, and if e_(i)≧λ(p), then testing whether         e_(i)d_(q)=1 (modulo λ(q)); if such is the case, then e=e_(i)         and storing e with a view to its use in calculations of said         cryptography algorithm,     -   if one of the above two tests is not satisfied, reiterating the         previous steps using another value of e_(i) and if no value of         e_(i) can be attributed to e then noting that the calculations         of the said cryptography algorithm using the value e cannot be         made.

The number d_(q) can be obtained by d_(q)=d (modulo λ(q)), d being a predetermined integer.

The cryptography algorithm is advantageously based on an algorithm of the RSA type in CRT mode.

Preferably e_(i)=2¹⁶+1 or e_(i)=3 is chosen.

According to one characteristic of the invention, a value e_(i) having been allocated to e, it consists of obtaining, at the end of a private operation of the RSA algorithm, a value x from a value y and of the fact that the said calculation using a value e consist of checking whether y=x^(e) modulo N, N being a predetermined integer number.

Another object of the invention is an electronic security component comprising calculation means, a program memory and a working memory and data communication means, characterised in that it implements the method as previously described.

The invention relates in particular to a chip card comprising an electronic component as described above.

Other particularities and advantages of the invention will emerge clearly from a reading of the description given by way of non-limiting example and with regard to the accompanying FIG. 1, which depicts schematically the elements of a chip card able to implement the invention.

The embodiments are described in the context of chip cards, but can of course apply to any other electronic security device or component provided with cryptographic calculation means.

As shown in FIG. 1, the chip card 1 comprises a microprocessor 2 coupled to a fixed memory (ROM) 3 and a random access memory (RAM) 4, the whole forming an assembly allowing, amongst other things, the execution of cryptographic algorithms. More precisely, the microprocessor 2 comprises the arithmetic calculation means necessary for the algorithm, as well as circuits for transferring data with the memories 3 and 4. The fixed memory 3 contains the program executing the cryptographic algorithm in source code form, whilst the random access memory 4 comprises registers able to be updated for storing results of the calculations.

The chip card 1 also comprises a communication interface 5 connected to the microprocessor 2 to allow the exchange of data with the external environment. The communication interface 5 can be of the “contact” type, being in this case formed by a set of contact pins intended to connect to a contactor of an external device, such as a card reader, and/or of the “contactless” type. In the latter case, the communication interface 5 comprises an antenna and radio communication circuits allowing data transfer by wireless connection. This connection can also allow a transfer of energy supplying the circuits of the card 1.

A description will now be given of a method for validating the value of a public exponent e which is not known a priori.

It is based on the following observation: in 90% of cases, the value of e is e₀=2¹⁶+1, in 5% of cases the value of e is e₁=3 and in other cases the value of e is other.

The method then consists of choosing e₀ and verifying that e=e₀; if e≠e₀, then an attempt is made with e₁.

It may happen that, for a certain application corresponding to 5% of other cases, e is not equal to either e₀ or e₁. Thus the value of e is more generally designated by e_(i). And the method finally consists of choosing a value e_(i) from amongst the e_(i) values envisaged and verifying that e=e_(i).

According to a first embodiment, valid for the standard or CRT modes of the RSA algorithm:

-   -   a value Y lying within a range ]0,N[, is arbitrarily chosen,     -   a value e_(i) is chosen,     -   a calculation is made of X=Y^(d) modulo N by (3) in standard         mode or by (5) in CRT mode     -   if X^(e) ^(i) mod N=Y then e=e_(i)     -   and e is stored     -   otherwise another value is chosen for e_(i).

It is possible advantageously to choose Y=2 so as to accelerate the exponentiation calculation Y^(d) which appears in equation (3) or (5): this then amounts to making additions instead of multiplications.

Another embodiment based on equation (4) is now described; it is valid only in CRT mode but is then more effective than the previous embodiment;

-   -   a value e_(i) is chosen,     -   it is tested whether e_(i)d_(p)=1 modulo(p−1), (or whether         e_(i)d_(p)=1 (modulo λ(p)) in the general case)     -   if yes and if e_(i)<p (or if e_(i)<λ(p) in the general case),         then e=e_(i) and e is stored     -   if yes and if e_(i)≧p, (or if e_(i)≧λ(p) in the general case)         then e=e_(i) with a very high probability of around 1-2/p.

In the case where e_(i)≧p (or if e_(i)≧λ(p) in the general case), the ambiguity can be removed with a probability of 1 by testing whether e_(i)d_(q)=1 modulo(q−1) (or whether e_(i)d_(q)=1 (modulo λ(q)) in the general case). If such is the case, e=e_(i) and e is stored.

However, in the majority of cases (e_(i)=2¹⁶+1 or e_(i)=3), e_(i)<p (or e_(i)<λ(p) in the general case) since p has a size of 512 bits or more.

If one of the tests is not satisfied, another value is chosen for e_(i).

If for one or other embodiment there does not exist amongst the e_(i) values a value such that e=e_(i), then it is not possible to make the calculations involving e.

When e is known, through one or other of these embodiments, it is then possible to verify each private operation (3) or (5) by checking that y=x^(e) modulo N or more generally to make calculations using the value e which is stored.

As has been seen, this method can of course be applied to a countermeasure.

It is more rapid than the countermeasure described in the prior art which consists of recalculating the whole of the algorithm, that is to say making at least a second exponentiation calculation to the power of d, d being the size of N, and comparing the values obtained at the end of the successive calculations. The method according to the invention also consists of making a second exponentiation calculation but to the power of e; however, e is small.

It also makes it possible to detect a permanent fault.

It applies both in the case of the standard mode of the RSA algorithm and in the case of the CRT mode as well as the extension of these modes. 

1. A method of implementing, in an electronic component, a cryptography algorithm using calculation means, wherein it consists of performing the following steps: a) choosing a value e from amongst a given number of values e_(i), e_(i) being integer numbers, b) testing whether the value e_(i) chosen satisfies a predetermined equation: if such is the case, then e=e_(i), and storing e with a view to its use in calculations of the said cryptography algorithm, if such is not the case, reiterating the previous steps choosing another value of e_(i) and if no value of e_(i) can be attributed to e then noting that the calculations of the said cryptography algorithm using the value e cannot be made.
 2. A method according to claim 1, wherein, prior to step b), it consists of choosing a value Y lying in the range ]0,N[and allocating to a value X the result of the operation Y^(d) modulo N, d and N being given integer numbers, and in that the predetermined equation of step b]) is X^(e) ^(i) mod N=Y
 3. A method according to claim 2, wherein Y=2.
 4. A method according to claim 1 wherein the cryptography algorithm is based on an algorithm of the RSA type.
 5. A method according to claim 4, wherein the RSA-type algorithm is in standard mode or CRT mode.
 6. A method according to claim 1, wherein the predetermined equation of step b) is: e_(i)d_(p)=1 (modulo λ(p)), p and d_(p) being given integer numbers and λ(.) being the Carmichael function.
 7. A method according to claim 6, wherein d_(p)=d (modulo λ(p)), d being a predetermined integer.
 8. A method according to claim 6, wherein, d_(q) and q being given integer numbers, with hcf(p,q)=1, step b) consists of performing the following steps: testing whether e_(i)d_(p)=1 (modulo λ(p)), if such is the case, and if e_(i)<λ(p), then e=e_(i) and storing e with a view to its use in calculations of the said cryptography algorithm, if such is the case, and if e_(i)≧λ(p), then testing whether e_(i)d_(q)=1 (modulo X(q)); if such is the case, then e=e_(i) and storing e with a view to its use in calculations of the said cryptography algorithm, if one of the above two test is not satisfied, reiterating the previous steps using another value of e_(i) and if no value of e_(i) can be attributed to e then noting that the calculations of the said cryptography algorithm using the value e cannot be made.
 9. A method according to claim 8, wherein d_(q)=d (modulo λ(q)), d being a predetermined integer.
 10. A method according to claim 6, wherein the cryptography algorithm is based on an algorithm of the RSA type in CRT mode.
 11. A method according to claim 1, wherein e _(i)=2¹⁶+1.
 12. A method according to claim 1, wherein e_(i)=3.
 13. A method according to claim 1 and according to which a value e_(i) has been allocated to e, wherein it consists of obtaining, at the end of a private operation of the RSA algorithm, a value x from a value y and in that the said calculation using the value e consists of verifying whether y=x^(e) modulo N, N being a predetermined integer number.
 14. An electronic security component, comprising calculation means, a program memory and a working memory and data communication means, wherein it implements the method according to claim
 1. 15. A chip card comprising an electronic component according to claim
 14. 